Digitally based multimedia, the combination of video and audio in a digital format for viewing on a digital device, is rapidly increasing in capacity and proliferation. Nearly every new personal computer manufactured today includes some form of multimedia. Sales of digital products such as cameras, video recorders, phones and televisions are steadily increasing. Multimedia is also becoming increasingly prevalent in the Internet realm as the growth of the Internet continues steadily and rapidly. Along with this growth have come increased performance expectations from the users of such computer equipment. These increased user expectations extend not only to hardware capability, but also to the capability to process the data itself.
A technique known as streaming has been developed for multimedia applications to satisfy these increasing expectations. Streaming allows data to be transferred so that it can be processed as a steady and continuous stream. This has the benefit that data can be displayed or listened to before the entire file has been transmitted, a must for large multimedia files and for real-time media such as audio and video data.
One problem with streaming, and with sending media in general, is passing the media across a network boundary. A network boundary is used to prevent undesirable penetration of a network. A network boundary is typically defined as an entity that physically terminates one network and/or interfaces with another network, and that terminates the logical address space of one network and starts another logical address space in the other network. Industry responded to this problem by developing signaling protocols to send the media. Many signaling protocols used to send media perform signaling and session initiation on a primary channel with well-known address information and provide for initiation of media transfer on one or more secondary channels. The address information on the secondary channels is not fixed and is assigned dynamically. Because of the ephemeral nature of the port assignments to the secondary channels, the network perimeter cannot be statically configured to allow media to pass through it. As a result, controlled opening and closing of “holes” in the perimeter must be implemented. In a point-to-point session, media can originate at either end. If the endpoints are topologically located on different sides of the network perimeter, each endpoint may have to arrange its own firewall to let media pass through to the other endpoint.
Industry responded to this problem as follows. Most multimedia sent over public networks uses IP protocols, and multimedia data sent over IP protocols embeds the IP addresses and ports in the protocol messages. One solution developed is to use an application level gateway (ALG) firewall. ALG firewalls are application-aware firewalls that examine application protocol flows and only allow messages that conform to security policies to pass through. This type of firewall requires knowledge of the protocol so that it can extract, alter, or use the address information (e.g., IP address and port). The ALG firewall can be designed to be protocol-aware for specific protocols. However, such ALG firewalls are potential bottlenecks in the network, since they require additional logic and processing to parse and understand the application protocol.
Additionally, in systems where multimedia security schemes are implemented, the ALG firewall may not work at all. For example, if the protocol messages are encrypted and the ALG firewall is not a trusted entity in possession of the necessary keys and algorithms, the ALG firewall will be unable to determine routing, security, etc., and will fail. Additionally, most firewalls deployed in networks today are not multimedia protocol-aware. These firewalls would have to be upgraded to become protocol-aware, which would be prohibitively expensive. Furthermore, in actual network operating environments, a series of firewalls and NAT devices is usually deployed along the traversal path of the multimedia streams. To ensure multimedia traversal, each firewall along that path needs to be a protocol-aware ALG firewall. This means new investments and control changes to already deployed firewalls. As new versions of protocols are frequently released, the ALG firewalls need to be frequently upgraded to support the new protocol versions. These control changes and frequent updates can lead to security breaches in the firewall, opening up a network to attacks.
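The pinhole behaviour described above, as an added illustration that is not part of the original text: a minimal ALG that reads the media address and dynamically assigned ports out of a signaling message, opens pinholes only where policy allows, closes them at session end, and fails closed when the signaling is encrypted and it holds no key. The SDP-style `c=`/`m=` lines, the 192.0.2.0/24 "inside" prefix and the media port range are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed signaling body in SDP style (c= carries the media address, m= the
# dynamically assigned media port). SDP is an assumption; the text only says
# that signaling messages embed IP addresses and ports.
SIGNALING_OFFER = (
    "v=0\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
).encode("ascii")
# Constructed opaque bytes standing in for an encrypted signaling message.
ENCRYPTED_OFFER = b"\x17\x03\x03\x00\x10\x8f\xc1\x02\x9e\x55\x7a\xb3"

@dataclass(frozen=True)
class Pinhole:
    addr: str
    port: int

@dataclass
class AlgFirewall:
    """Minimal ALG: pinholes open only for media ports it can parse out of signaling and that meet policy."""
    inside_prefix: str = "192.0.2."      # assumed: protected endpoints live here
    port_range: tuple = (16384, 65535)   # assumed media port policy
    pinholes: set = field(default_factory=set)

    def on_signaling(self, payload: bytes) -> list:
        try:
            body = payload.decode("ascii")
        except UnicodeDecodeError:
            return []  # encrypted/opaque: no addresses extractable, stay closed
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        if conn is None or not conn.group(1).startswith(self.inside_prefix):
            return []  # nonconforming message or not toward a protected endpoint
        addr = conn.group(1)
        opened = []
        for port in map(int, re.findall(r"^m=\w+ (\d+) ", body, re.M)):
            if self.port_range[0] <= port <= self.port_range[1]:
                hole = Pinhole(addr, port)
                self.pinholes.add(hole)
                opened.append(hole)
        return opened

    def on_session_end(self, addr: str) -> None:
        # Controlled closing of the holes once the session tears down.
        self.pinholes = {h for h in self.pinholes if h.addr != addr}

    def allows(self, addr: str, port: int) -> bool:
        return Pinhole(addr, port) in self.pinholes
```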